Compromises can happen quickly – a fact the folks at Sentrigo were recently reminded of when attackers came knocking on their digital door.
On Dec. 1, the company deployed an instance of the Oracle database running on Amazon EC2. Six days later, it was pwned. Fortunately, no production data was in it – just testing data, as the instance was only put up there so the company could demonstrate security software.
“In this instance, we were demoing our vulnerability assessment capabilities to scan the database and find various issues and mis-configurations,” explained Sentrigo CTO Slavik Markovich. “We did have monitoring in place but we did not deploy any blocking rules. And so, we were alerted to the attack and at that point it became interesting to us to let the attackers continue and see in real-time how an real-world attack evolves.”
The attackers discovered the instance with some simple port scanning of servers on the Internet, he said. When they found an open port, they identified it and the Oracle instance running behind it. From there, they were able to get access to the database and escalate privileges.
“The initial connection was done to a demo account without any privileges by brute-forcing the password,” he said. “The elevation to higher level privileges exploited a known vulnerability in one of the Oracle components (OLAP). Then, using these higher privileges the hacker took control of the OS using dbms_scheduler.”
He admitted the Oracle instance wasn’t fully patched – they were using version 11.107 – but was still struck by the speed in which the compromise happened nonetheless.
Andy Feit, vice president of marketing at Sentrigo, said that anonymity does not offer true protection.
“Nobody knew whose server this was, it was just out there,” Feit said.
He added that the situation could have occurred with any cloud provider, or a company-owned server outside the firewall, and that Amazon has a “nice built-in firewall” and monitors outbound traffic from instances to prevent port scanning.
“On the other hand, in the future, I definitely see Amazon and similar providers providing much more like out-of-the-box IDS/IPS and other network controls,” the CTO said.
The moral of the story – don’t expose your database over the Internet without proper security, including firewalls and access controls, and make sure the database is fully patched.